redline | ffca1ddbff9f0e7f4644f987dff8916533aa56fb66d71ed4cb87c9cabd2f8e91

Analysis

max time kernel
144s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07-05-2023 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffca1ddbff9f0e7f4644f987dff8916533aa56fb66d71ed4cb87c9cabd2f8e91.exe
Size

1.5MB
MD5

2f500d17337e9e612d6673e05ad272d6
SHA1

cecba24029cff3333bbfc6ee1dc2eff8deffa086
SHA256

ffca1ddbff9f0e7f4644f987dff8916533aa56fb66d71ed4cb87c9cabd2f8e91
SHA512

e3680ed43050fc2f3c7f228a10e64c633f16971b56d92e5f28ba2964845ec855a0032b36d90185f40707334d9eedf0e93061cc0f489d5fc03b5e1deb71f0859c
SSDEEP

24576:hyFfCkL4o+fHTkGnYu7KNBvneXVjKgq8ozWIKcKXnI75gp2GW0wmqO8vulVFwDxP:U5Cftz9oBveljKgqZ/fdChW3yjFwVpdd

Score

10^/10

redline most infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 5 IoCs

Processes:

i17337301.exei03921348.exei52715888.exei70166531.exea17553422.exe

pid process

928 i17337301.exe
988 i03921348.exe
588 i52715888.exe
896 i70166531.exe
1264 a17553422.exe

pid	process
928	i17337301.exe
988	i03921348.exe
588	i52715888.exe
896	i70166531.exe
1264	a17553422.exe

Loads dropped DLL 10 IoCs

Processes:

ffca1ddbff9f0e7f4644f987dff8916533aa56fb66d71ed4cb87c9cabd2f8e91.exei17337301.exei03921348.exei52715888.exei70166531.exea17553422.exe

pid	process
860	ffca1ddbff9f0e7f4644f987dff8916533aa56fb66d71ed4cb87c9cabd2f8e91.exe
928	i17337301.exe
928	i17337301.exe
988	i03921348.exe
988	i03921348.exe
588	i52715888.exe
588	i52715888.exe
896	i70166531.exe
896	i70166531.exe
1264	a17553422.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

i03921348.exei70166531.exei52715888.exeffca1ddbff9f0e7f4644f987dff8916533aa56fb66d71ed4cb87c9cabd2f8e91.exei17337301.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i03921348.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i70166531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i70166531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i03921348.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i52715888.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i52715888.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ffca1ddbff9f0e7f4644f987dff8916533aa56fb66d71ed4cb87c9cabd2f8e91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ffca1ddbff9f0e7f4644f987dff8916533aa56fb66d71ed4cb87c9cabd2f8e91.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i17337301.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i17337301.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

ffca1ddbff9f0e7f4644f987dff8916533aa56fb66d71ed4cb87c9cabd2f8e91.exei17337301.exei03921348.exei52715888.exei70166531.exe

description	pid	process	target process
PID 860 wrote to memory of 928	860	ffca1ddbff9f0e7f4644f987dff8916533aa56fb66d71ed4cb87c9cabd2f8e91.exe	i17337301.exe
PID 860 wrote to memory of 928	860	ffca1ddbff9f0e7f4644f987dff8916533aa56fb66d71ed4cb87c9cabd2f8e91.exe	i17337301.exe
PID 860 wrote to memory of 928	860	ffca1ddbff9f0e7f4644f987dff8916533aa56fb66d71ed4cb87c9cabd2f8e91.exe	i17337301.exe
PID 860 wrote to memory of 928	860	ffca1ddbff9f0e7f4644f987dff8916533aa56fb66d71ed4cb87c9cabd2f8e91.exe	i17337301.exe
PID 860 wrote to memory of 928	860	ffca1ddbff9f0e7f4644f987dff8916533aa56fb66d71ed4cb87c9cabd2f8e91.exe	i17337301.exe
PID 860 wrote to memory of 928	860	ffca1ddbff9f0e7f4644f987dff8916533aa56fb66d71ed4cb87c9cabd2f8e91.exe	i17337301.exe
PID 860 wrote to memory of 928	860	ffca1ddbff9f0e7f4644f987dff8916533aa56fb66d71ed4cb87c9cabd2f8e91.exe	i17337301.exe
PID 928 wrote to memory of 988	928	i17337301.exe	i03921348.exe
PID 928 wrote to memory of 988	928	i17337301.exe	i03921348.exe
PID 928 wrote to memory of 988	928	i17337301.exe	i03921348.exe
PID 928 wrote to memory of 988	928	i17337301.exe	i03921348.exe
PID 928 wrote to memory of 988	928	i17337301.exe	i03921348.exe
PID 928 wrote to memory of 988	928	i17337301.exe	i03921348.exe
PID 928 wrote to memory of 988	928	i17337301.exe	i03921348.exe
PID 988 wrote to memory of 588	988	i03921348.exe	i52715888.exe
PID 988 wrote to memory of 588	988	i03921348.exe	i52715888.exe
PID 988 wrote to memory of 588	988	i03921348.exe	i52715888.exe
PID 988 wrote to memory of 588	988	i03921348.exe	i52715888.exe
PID 988 wrote to memory of 588	988	i03921348.exe	i52715888.exe
PID 988 wrote to memory of 588	988	i03921348.exe	i52715888.exe
PID 988 wrote to memory of 588	988	i03921348.exe	i52715888.exe
PID 588 wrote to memory of 896	588	i52715888.exe	i70166531.exe
PID 588 wrote to memory of 896	588	i52715888.exe	i70166531.exe
PID 588 wrote to memory of 896	588	i52715888.exe	i70166531.exe
PID 588 wrote to memory of 896	588	i52715888.exe	i70166531.exe
PID 588 wrote to memory of 896	588	i52715888.exe	i70166531.exe
PID 588 wrote to memory of 896	588	i52715888.exe	i70166531.exe
PID 588 wrote to memory of 896	588	i52715888.exe	i70166531.exe
PID 896 wrote to memory of 1264	896	i70166531.exe	a17553422.exe
PID 896 wrote to memory of 1264	896	i70166531.exe	a17553422.exe
PID 896 wrote to memory of 1264	896	i70166531.exe	a17553422.exe
PID 896 wrote to memory of 1264	896	i70166531.exe	a17553422.exe
PID 896 wrote to memory of 1264	896	i70166531.exe	a17553422.exe
PID 896 wrote to memory of 1264	896	i70166531.exe	a17553422.exe
PID 896 wrote to memory of 1264	896	i70166531.exe	a17553422.exe

C:\Users\Admin\AppData\Local\Temp\ffca1ddbff9f0e7f4644f987dff8916533aa56fb66d71ed4cb87c9cabd2f8e91.exe
"C:\Users\Admin\AppData\Local\Temp\ffca1ddbff9f0e7f4644f987dff8916533aa56fb66d71ed4cb87c9cabd2f8e91.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:860

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i17337301.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i17337301.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:928

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i03921348.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i03921348.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:988

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52715888.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52715888.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:588

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i70166531.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i70166531.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:896

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a17553422.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a17553422.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1264

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i17337301.exe
Filesize
1.3MB

MD5
1484c1cfa9841cb05566f0e86208623c

SHA1
b7b8af8387fc44a78485d02a97176a7c3f41bf90

SHA256
0dff9def885869609d0d35ec5776eaf891576a63ab929d7018d5f5a7bc390fdf

SHA512
838c27c7288e6be3f0d0aabffebe81e002cfdb9e80cc94c760e0214dd7a08a33a70140b24277dceb813f60c30908ebdeccf33af9ccd331c57509d792550bcb31

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i17337301.exe
Filesize
1.3MB

MD5
1484c1cfa9841cb05566f0e86208623c

SHA1
b7b8af8387fc44a78485d02a97176a7c3f41bf90

SHA256
0dff9def885869609d0d35ec5776eaf891576a63ab929d7018d5f5a7bc390fdf

SHA512
838c27c7288e6be3f0d0aabffebe81e002cfdb9e80cc94c760e0214dd7a08a33a70140b24277dceb813f60c30908ebdeccf33af9ccd331c57509d792550bcb31

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i03921348.exe
Filesize
1015KB

MD5
1349d4373e71d1c13c3b00c728a14153

SHA1
e7143f988ab19486448f339e9078fe678336b719

SHA256
f927cc8ae71fd8b2fd1985f5ebeee653964c4cf2a0f36b43cf82b5f2534472cf

SHA512
048deb54e4c53af5720b9693b76175e5b939a069447b22c7df83eb591cec1af7907cca307c90610c25ec0f4c25c36674c2e3831f1bcf9af80a9093e281141f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i03921348.exe
Filesize
1015KB

MD5
1349d4373e71d1c13c3b00c728a14153

SHA1
e7143f988ab19486448f339e9078fe678336b719

SHA256
f927cc8ae71fd8b2fd1985f5ebeee653964c4cf2a0f36b43cf82b5f2534472cf

SHA512
048deb54e4c53af5720b9693b76175e5b939a069447b22c7df83eb591cec1af7907cca307c90610c25ec0f4c25c36674c2e3831f1bcf9af80a9093e281141f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52715888.exe
Filesize
843KB

MD5
b0fd3d85dcb3f451eedec5d688d970cd

SHA1
2ab9d71bd64732c37019771a5e43ba8edb2bb67d

SHA256
8e055a2ccb9e52aab68d1791a5c98ecaee330877741009ed0c0f15ec81870593

SHA512
5af7eaebcea0df43e171750284df00fbd92e9e64dea54762ef702520c6a57f8bab62a0f7e6bc23deeade4d84e62e144998ec9933c1f62c1760f5d9ab9cea6d3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52715888.exe
Filesize
843KB

MD5
b0fd3d85dcb3f451eedec5d688d970cd

SHA1
2ab9d71bd64732c37019771a5e43ba8edb2bb67d

SHA256
8e055a2ccb9e52aab68d1791a5c98ecaee330877741009ed0c0f15ec81870593

SHA512
5af7eaebcea0df43e171750284df00fbd92e9e64dea54762ef702520c6a57f8bab62a0f7e6bc23deeade4d84e62e144998ec9933c1f62c1760f5d9ab9cea6d3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i70166531.exe
Filesize
371KB

MD5
766853a43b90868d88a06baf36eb60bd

SHA1
159ccf2a099974b31c2c92c71295b3c3b7d94651

SHA256
a30ae3667cf05de6b5896f5fee47a761c760e80e2971dba32bc688e37f0ca07d

SHA512
e9648bab8d1f06142c32e6f9d9885b80be3b60d70cd807d4e612bf98aed95a776c20908981310cc9b6b5145dd3e094b16940f34f4a5878da2309ad213bb54623

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i70166531.exe
Filesize
371KB

MD5
766853a43b90868d88a06baf36eb60bd

SHA1
159ccf2a099974b31c2c92c71295b3c3b7d94651

SHA256
a30ae3667cf05de6b5896f5fee47a761c760e80e2971dba32bc688e37f0ca07d

SHA512
e9648bab8d1f06142c32e6f9d9885b80be3b60d70cd807d4e612bf98aed95a776c20908981310cc9b6b5145dd3e094b16940f34f4a5878da2309ad213bb54623

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a17553422.exe
Filesize
169KB

MD5
fe3e0a8ac53a91f9992c283f5828209b

SHA1
c08ddcc66b8533ba9d1b1adeda5e52363dd45b4f

SHA256
942c6f5c242fa3aab2531b87e8e9e4dc9bdb206d71fa5e23976b09cc7b494ef3

SHA512
ac7e14a956c6fcfe1a9566f9ff8be1271ece34c7bb71cdd79215a4123ebb844afba965f613548be6fa392646dfe27071bc2a4c21cefe15f27fa6a2c160029a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a17553422.exe
Filesize
169KB

MD5
fe3e0a8ac53a91f9992c283f5828209b

SHA1
c08ddcc66b8533ba9d1b1adeda5e52363dd45b4f

SHA256
942c6f5c242fa3aab2531b87e8e9e4dc9bdb206d71fa5e23976b09cc7b494ef3

SHA512
ac7e14a956c6fcfe1a9566f9ff8be1271ece34c7bb71cdd79215a4123ebb844afba965f613548be6fa392646dfe27071bc2a4c21cefe15f27fa6a2c160029a8a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i17337301.exe
Filesize
1.3MB

MD5
1484c1cfa9841cb05566f0e86208623c

SHA1
b7b8af8387fc44a78485d02a97176a7c3f41bf90

SHA256
0dff9def885869609d0d35ec5776eaf891576a63ab929d7018d5f5a7bc390fdf

SHA512
838c27c7288e6be3f0d0aabffebe81e002cfdb9e80cc94c760e0214dd7a08a33a70140b24277dceb813f60c30908ebdeccf33af9ccd331c57509d792550bcb31

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i17337301.exe
Filesize
1.3MB

MD5
1484c1cfa9841cb05566f0e86208623c

SHA1
b7b8af8387fc44a78485d02a97176a7c3f41bf90

SHA256
0dff9def885869609d0d35ec5776eaf891576a63ab929d7018d5f5a7bc390fdf

SHA512
838c27c7288e6be3f0d0aabffebe81e002cfdb9e80cc94c760e0214dd7a08a33a70140b24277dceb813f60c30908ebdeccf33af9ccd331c57509d792550bcb31

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i03921348.exe
Filesize
1015KB

MD5
1349d4373e71d1c13c3b00c728a14153

SHA1
e7143f988ab19486448f339e9078fe678336b719

SHA256
f927cc8ae71fd8b2fd1985f5ebeee653964c4cf2a0f36b43cf82b5f2534472cf

SHA512
048deb54e4c53af5720b9693b76175e5b939a069447b22c7df83eb591cec1af7907cca307c90610c25ec0f4c25c36674c2e3831f1bcf9af80a9093e281141f0c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i03921348.exe
Filesize
1015KB

MD5
1349d4373e71d1c13c3b00c728a14153

SHA1
e7143f988ab19486448f339e9078fe678336b719

SHA256
f927cc8ae71fd8b2fd1985f5ebeee653964c4cf2a0f36b43cf82b5f2534472cf

SHA512
048deb54e4c53af5720b9693b76175e5b939a069447b22c7df83eb591cec1af7907cca307c90610c25ec0f4c25c36674c2e3831f1bcf9af80a9093e281141f0c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52715888.exe
Filesize
843KB

MD5
b0fd3d85dcb3f451eedec5d688d970cd

SHA1
2ab9d71bd64732c37019771a5e43ba8edb2bb67d

SHA256
8e055a2ccb9e52aab68d1791a5c98ecaee330877741009ed0c0f15ec81870593

SHA512
5af7eaebcea0df43e171750284df00fbd92e9e64dea54762ef702520c6a57f8bab62a0f7e6bc23deeade4d84e62e144998ec9933c1f62c1760f5d9ab9cea6d3f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52715888.exe
Filesize
843KB

MD5
b0fd3d85dcb3f451eedec5d688d970cd

SHA1
2ab9d71bd64732c37019771a5e43ba8edb2bb67d

SHA256
8e055a2ccb9e52aab68d1791a5c98ecaee330877741009ed0c0f15ec81870593

SHA512
5af7eaebcea0df43e171750284df00fbd92e9e64dea54762ef702520c6a57f8bab62a0f7e6bc23deeade4d84e62e144998ec9933c1f62c1760f5d9ab9cea6d3f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i70166531.exe
Filesize
371KB

MD5
766853a43b90868d88a06baf36eb60bd

SHA1
159ccf2a099974b31c2c92c71295b3c3b7d94651

SHA256
a30ae3667cf05de6b5896f5fee47a761c760e80e2971dba32bc688e37f0ca07d

SHA512
e9648bab8d1f06142c32e6f9d9885b80be3b60d70cd807d4e612bf98aed95a776c20908981310cc9b6b5145dd3e094b16940f34f4a5878da2309ad213bb54623

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i70166531.exe
Filesize
371KB

MD5
766853a43b90868d88a06baf36eb60bd

SHA1
159ccf2a099974b31c2c92c71295b3c3b7d94651

SHA256
a30ae3667cf05de6b5896f5fee47a761c760e80e2971dba32bc688e37f0ca07d

SHA512
e9648bab8d1f06142c32e6f9d9885b80be3b60d70cd807d4e612bf98aed95a776c20908981310cc9b6b5145dd3e094b16940f34f4a5878da2309ad213bb54623

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a17553422.exe
Filesize
169KB

MD5
fe3e0a8ac53a91f9992c283f5828209b

SHA1
c08ddcc66b8533ba9d1b1adeda5e52363dd45b4f

SHA256
942c6f5c242fa3aab2531b87e8e9e4dc9bdb206d71fa5e23976b09cc7b494ef3

SHA512
ac7e14a956c6fcfe1a9566f9ff8be1271ece34c7bb71cdd79215a4123ebb844afba965f613548be6fa392646dfe27071bc2a4c21cefe15f27fa6a2c160029a8a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a17553422.exe
Filesize
169KB

MD5
fe3e0a8ac53a91f9992c283f5828209b

SHA1
c08ddcc66b8533ba9d1b1adeda5e52363dd45b4f

SHA256
942c6f5c242fa3aab2531b87e8e9e4dc9bdb206d71fa5e23976b09cc7b494ef3

SHA512
ac7e14a956c6fcfe1a9566f9ff8be1271ece34c7bb71cdd79215a4123ebb844afba965f613548be6fa392646dfe27071bc2a4c21cefe15f27fa6a2c160029a8a

Download Submit
memory/1264-104-0x0000000000810000-0x0000000000840000-memory.dmp

Filesize
192KB

Download
memory/1264-105-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/1264-106-0x0000000004CE0000-0x0000000004D20000-memory.dmp

Filesize
256KB

Download
memory/1264-107-0x0000000004CE0000-0x0000000004D20000-memory.dmp

Filesize
256KB

Download